Methods for Determining Illegal Collection and Use of Personal Information by Apps

Promulgation Authorities: Cyberspace Administration of China

Release Date: 2019-11-28

Effective Date: 2019-11-28

Source: https://www.cac.gov.cn/2019-12/27/c_1578986455686625.htm

Original Title: App违法违规收集使用个人信息行为认定方法

In accordance with the "Notice on Carrying Out Special Governance on Illegal Collection and Use of Personal Information by Apps," this method is formulated to provide reference for the competent authorities to determine the illegal collection and use of personal information by apps, to provide guidance for self-inspection and self-correction by app operators, and to facilitate social supervision by netizens, and to implement laws and regulations such as the Cybersecurity Law.

I. The following behaviors can be identified as "failure to disclose collection and usage rules":

1. There is no privacy policy in the app, or the privacy policy does not contain rules for collecting and using personal information;

2. Users are not prompted to read the privacy policy or other collection and usage rules through obvious means such as pop-up windows when the app is first launched;

3. The privacy policy or other collection and usage rules are difficult to access, requiring more than 4 clicks or other operations to access after entering the main interface of the app;

4. The privacy policy or other collection and usage rules are difficult to read, with small, dense text, faint colors, blurry content, or no simplified Chinese version provided.

II. The following behaviors can be identified as "failure to clearly state the purpose, method, and scope of collecting and using personal information":

1. The purposes, methods, and scope of collecting and using personal information by the app (including entrusted third parties or embedded third-party code, plugins) are not listed separately;

2. When the purposes, methods, and scope of collecting and using personal information change, users are not notified in an appropriate manner, such as updating the privacy policy or other collection and usage rules and reminding users to read them;

3. When applying for permission to collect personal information or sensitive personal information such as user ID, bank account number, or location trajectory, the purpose is not clearly stated, or it is difficult to understand;

4. The content of the collection and usage rules is obscure and lengthy, making it difficult for users to understand, such as the use of a large number of professional terms.

III. The following behaviors can be identified as "collecting and using personal information without user consent":

1. Collecting personal information or opening permissions to collect personal information before obtaining user consent;

2. Continuing to collect personal information or open permissions to collect personal information after the user clearly expresses disagreement, or frequently soliciting user consent, interfering with normal use;

3. The actual personal information collected or permissions opened to collect personal information exceed the user's authorized scope;

4. Using default opt-in methods such as agreeing to the privacy policy without explicit consent;

5. Changing the status of the permissions to collect personal information without the user's consent, such as automatically restoring the user's settings to default when the app is updated;

6. Using user personal information and algorithms for targeted push notifications without providing an option for non-targeted notifications;

7. Deceiving or misleading users into consenting to the collection and use of personal information or opening permissions through fraudulent or deceptive means, such as deliberately deceiving or concealing the true purpose of collecting and using personal information;

8. Failing to provide users with a way or method to withdraw consent for the collection and use of personal information;

9. Violating the stated collection and usage rules by collecting and using personal information.

IV. The following behaviors can be identified as "violating the principle of necessity, collecting personal information unrelated to the services provided":

1. Collecting types of personal information or opening permissions to collect personal information unrelated to existing business functions;

2. Refusing to provide business functions because users refuse to provide unnecessary personal information or grant unnecessary permissions;

3. When applying for personal information to be collected for new business functions, the types of personal information collected exceed the user's original consent, except when users refuse to provide consent, in which case new business functions replace existing ones;

4. Collecting personal information more frequently than necessary for business functions;

5. Forcing users to agree to the collection of personal information by citing reasons such as improving service quality, enhancing user experience, targeted push notifications, or developing new products;

6. Requiring users to agree to open multiple permissions to collect personal information at once, without which users cannot use the app.

V. The following behaviors can be identified as "providing personal information to others without consent":

1. Without user consent or anonymization, the app client directly provides personal information to third parties, including third-party code embedded in the client or plugins;

2. Without user consent or anonymization, after the data is transmitted to the app backend server, it provides the collected personal information to third parties;

3. The app accesses third-party applications and provides personal information to third-party applications without user consent.

VI. The following behaviors can be identified as "failure to provide functions for deleting or correcting personal information as required by law" or "failure to disclose information such as complaint and reporting channels":

1. Failing to provide effective functions for correcting, deleting personal information, and canceling user accounts;

2. Setting unnecessary or unreasonable conditions for correcting, deleting personal information, or canceling user accounts;

3. Although the functions for correcting, deleting personal information, and canceling user accounts are provided, failing to respond promptly to user operations that require manual processing, and failing to complete verification and processing within the promised time limit (the promised time limit shall not exceed 15 working days, and if there is no promised time limit, it shall be limited to 15 working days);

4. Although the user's operations for correcting, deleting personal information, or canceling user accounts have been completed, the app backend has not completed the corresponding operations;

5. Failing to establish and publicize channels for complaints and reports on personal information security, or failing to accept and handle them within the promised time limit (the promised time limit shall not exceed 15 working days, and if there is no promised time limit, it shall be limited to 15 working days).